[OpenID] CLARIFICATION: Is OpenID Discovery Optional?
Peter Williams
pwilliams at rapattoni.com
Tue Jan 6 16:17:04 UTC 2009
One can ask the question another way, more effectively.
If an RP recovers an XRDS from a user's vanity URL and completes OpenID auth, can the RP locally cache the resource under its own policy and use that cache of metadata the next time someone initiates OpenID auth (plus discovery)?
There are n variations on this "control" theme, for HTTPS and its metadata (certs) too, only present during this mode of discovery. Can an RP reject an HTTPS server cert within 6 months of its expiry date? Can an RP apply its own date extension override policy to accept an HTTPS cert that is expired, but only by 24h, say? Can the RP accept an HTTPS cert when it cannot actually talk to the OCSP server located in one of the certs in the chain? If the CRL marks a server cert as suspended, can the RP override and use it (but not "rely" on it) as if valid?
________________________________
From: David Fuelling <sappenin at gmail.com>
Sent: Tuesday, January 06, 2009 8:04 AM
To: general at openid.net List <general at openid.net>; specs at openid.net <specs at openid.net>; board at openid.net <board at openid.net>
Subject: [OpenID] CLARIFICATION: Is OpenID Discovery Optional?
All,
Wondering if anybody, especially the original OIDF Board and any contributors to the OpenID Auth 2.0 spec, could comment on this question for me.
Is OpenID Discovery, as seen in section 7.3 of the Auth spec, optional? More specifically, is the information returned by discovery meant to be Authoritative for a particular OpenID or OP Endpoint, or is it merely meant to be "Informative".
Thanks!
David
ps - for those interested, see the other mail-list thread entitled "DISCUSSION relating to OpenID Discovery 2.1" for more fine-grained details surrounding this question and its possible answers.
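The certificate questions in Peter's reply (reject a cert within 6 months of expiry, accept one expired by at most 24h, tolerate an unreachable OCSP responder, override a CRL "suspended" entry) are all instances of a relying party applying local policy on top of the standard validity and revocation checks. The following is an added example, not code from the thread or from any OpenID library, of what such an RP-side policy layer looks like once each question becomes an explicit knob. The certificate records, the hostname op.example and the timestamps are constructed for illustration; a real RP would populate CertInfo from the parsed server certificate and from its OCSP/CRL lookups.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Tuple


class Status(Enum):
    """Revocation status as an RP would learn it from OCSP or a CRL."""
    GOOD = "good"
    REVOKED = "revoked"
    HOLD = "certificateHold"  # CRL reason code 6: suspended, may be reinstated
    UNKNOWN = "unknown"       # responder unreachable, CRL not fetchable, etc.


@dataclass(frozen=True)
class CertInfo:
    """The few fields of an HTTPS server cert the policy below needs."""
    subject: str
    not_before: datetime
    not_after: datetime
    ocsp: Status
    crl: Status


@dataclass(frozen=True)
class RPPolicy:
    """Local RP overrides, one knob per question in the message above."""
    reject_if_expires_within: Optional[timedelta] = None  # e.g. 6 months
    grace_after_expiry: timedelta = timedelta(0)          # e.g. 24 hours
    ocsp_soft_fail: bool = False                          # accept when OCSP is unreachable
    accept_on_hold: bool = False                          # use a suspended cert anyway


def evaluate(cert: CertInfo, policy: RPPolicy, now: datetime) -> Tuple[bool, str]:
    """Return (accept, reason). Hard failures (not yet valid, expired beyond
    grace, positively revoked) are never overridable; the rest follow policy."""
    if now < cert.not_before:
        return False, "not yet valid"
    if now > cert.not_after:
        if now - cert.not_after > policy.grace_after_expiry:
            return False, "expired beyond grace period"
        lifetime_note = "expired but within grace period"
    else:
        if (policy.reject_if_expires_within is not None
                and cert.not_after - now < policy.reject_if_expires_within):
            return False, "expires too soon for local policy"
        lifetime_note = "within validity period"

    if Status.REVOKED in (cert.ocsp, cert.crl):
        return False, "revoked"
    if cert.crl == Status.HOLD and not policy.accept_on_hold:
        return False, "suspended (certificateHold) and policy does not override"
    if cert.ocsp == Status.UNKNOWN and not policy.ocsp_soft_fail:
        return False, "OCSP responder unreachable and policy hard-fails"
    return True, lifetime_note


# Constructed samples (hypothetical host op.example); NOW is the thread's date.
NOW = datetime(2009, 1, 6, 16, 17, tzinfo=timezone.utc)
# Expired six hours ago, and its OCSP responder is down.
EXPIRED_CERT = CertInfo("CN=op.example", NOW - timedelta(days=365),
                        NOW - timedelta(hours=6), Status.UNKNOWN, Status.GOOD)
# Valid for another ten months, but the CRL lists it as on hold.
HELD_CERT = CertInfo("CN=op.example", NOW - timedelta(days=30),
                     NOW + timedelta(days=300), Status.GOOD, Status.HOLD)
# Clean status, but only 100 days of validity left.
SHORT_CERT = CertInfo("CN=op.example", NOW - timedelta(days=265),
                      NOW + timedelta(days=100), Status.GOOD, Status.GOOD)

STRICT = RPPolicy()
LENIENT = RPPolicy(grace_after_expiry=timedelta(hours=24), ocsp_soft_fail=True,
                   accept_on_hold=True)
SIX_MONTHS = RPPolicy(reject_if_expires_within=timedelta(days=182))


def demo() -> Dict[str, bool]:
    """Each sample cert against the policy that exercises its edge case."""
    return {
        "expired/strict": evaluate(EXPIRED_CERT, STRICT, NOW)[0],
        "expired/lenient": evaluate(EXPIRED_CERT, LENIENT, NOW)[0],
        "held/strict": evaluate(HELD_CERT, STRICT, NOW)[0],
        "held/lenient": evaluate(HELD_CERT, LENIENT, NOW)[0],
        "short/strict": evaluate(SHORT_CERT, STRICT, NOW)[0],
        "short/six_months": evaluate(SHORT_CERT, SIX_MONTHS, NOW)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} -> {'accept' if ok else 'reject'}")
```

The point of separating hard failures from policy knobs is that an RP can be as strict or lenient as it likes about expiry margins and revocation-check availability without ever being able to "configure away" a positive revocation, which is the distinction Peter draws between using a cert and relying on it.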